Adds CMK for CosmosDB Account

* Closes #7798

azurerm/internal/services/cosmos/cosmosdb_account_data_source.go

@@ -138,6 +138,11 @@ func dataSourceArmCosmosDbAccount() *schema.Resource {
 				},
 			},
 
+			"key_vault_key_id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+
 			"enable_multiple_write_locations": {
 				Type:     schema.TypeBool,
 				Computed: true,
@@ -253,6 +258,10 @@ func dataSourceArmCosmosDbAccountRead(d *schema.ResourceData, meta interface{})
 		d.Set("enable_free_tier", resp.EnableFreeTier)
 		d.Set("enable_automatic_failover", resp.EnableAutomaticFailover)
 
+		if v := props.KeyVaultKeyURI; v != nil {
+			d.Set("key_vault_key_id", resp.KeyVaultKeyURI)
+		}
+
 		if err = d.Set("consistency_policy", flattenAzureRmCosmosDBAccountConsistencyPolicy(resp.ConsistencyPolicy)); err != nil {
 			return fmt.Errorf("Error setting `consistency_policy`: %+v", err)
 		}

azurerm/internal/services/cosmos/cosmosdb_account_resource.go

@@ -117,6 +117,13 @@ func resourceArmCosmosDbAccount() *schema.Resource {
 				Default:  false,
 			},
 
+			"key_vault_key_id": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ForceNew:     true,
+				ValidateFunc: azure.ValidateKeyVaultChildId,
+			},
+
 			"consistency_policy": {
 				Type:     schema.TypeList,
 				Required: true,
@@ -371,6 +378,7 @@ func resourceArmCosmosDbAccountCreate(d *schema.ResourceData, meta interface{})
 	enableFreeTier := d.Get("enable_free_tier").(bool)
 	enableAutomaticFailover := d.Get("enable_automatic_failover").(bool)
 	enableMultipleWriteLocations := d.Get("enable_multiple_write_locations").(bool)
+	keyVaultKeyURI := d.Get("key_vault_key_id").(string)
 
 	r, err := client.CheckNameExists(ctx, name)
 	if err != nil {
@@ -402,6 +410,7 @@ func resourceArmCosmosDbAccountCreate(d *schema.ResourceData, meta interface{})
 			Capabilities:                  expandAzureRmCosmosDBAccountCapabilities(d),
 			VirtualNetworkRules:           expandAzureRmCosmosDBAccountVirtualNetworkRules(d),
 			EnableMultipleWriteLocations:  utils.Bool(enableMultipleWriteLocations),
+			KeyVaultKeyURI:                &keyVaultKeyURI,
 		},
 		Tags: tags.Expand(t),
 	}
@@ -595,6 +604,10 @@ func resourceArmCosmosDbAccountRead(d *schema.ResourceData, meta interface{}) er
 		d.Set("enable_automatic_failover", resp.EnableAutomaticFailover)
 	}
 
+	if v := resp.KeyVaultKeyURI; v != nil {
+		d.Set("key_vault_key_id", resp.KeyVaultKeyURI)
+	}
+
 	if v := resp.EnableMultipleWriteLocations; v != nil {
 		d.Set("enable_multiple_write_locations", resp.EnableMultipleWriteLocations)
 	}

website/docs/d/cosmosdb_account.html.markdown

@@ -45,6 +45,8 @@ The following attributes are exported:
 
 * `kind` - The Kind of the CosmosDB account.
 
+* `key_vault_key_id` - The Key Vault URI for encryption
+
 * `ip_range_filter` - The current IP Filter for this CosmosDB account
 
 * `enable_free_tier` - If Free Tier pricing option is enabled for this CosmosDB Account.

website/docs/r/cosmosdb_account.html.markdown

@@ -92,6 +92,8 @@ The following arguments are supported:
 
 * `is_virtual_network_filter_enabled` - (Optional) Enables virtual network filtering for this Cosmos DB account.
 
+* `key_vault_key_id` - (Optional) A Key Vault URI for encryption eg. `https://<vault-name>.vault.azure.net/keys/<key-name>` 
+
 * `virtual_network_rule` - (Optional) Specifies a `virtual_network_rules` resource, used to define which subnets are allowed to access this CosmosDB account.
 
 * `enable_multiple_write_locations` - (Optional) Enable multi-master support for this Cosmos DB account.